
** We will update this article with additional information as it becomes available. We have also published a playbook to guide any security team that has SolarWinds in their environment and is looking to initiate incident response. **

Last updated: 2020-12-18 22:35 UTC (see the change log at the end of this article)

SolarWinds, an IT monitoring specialist, reported last Sunday (13 December 2020) that it had fallen victim to a “highly-sophisticated, manual supply chain attack … likely by a nation state.”

The compromised products are SolarWinds Orion versions 2019.4 through 2020.2.1.

How to identify whether you are running an impacted SolarWinds Orion version

Sophos customers can identify whether they are running a vulnerable version in multiple ways:

Sophos MTR customers

The MTR team is actively monitoring all protected customer environments and has already contacted affected customers directly to discuss remedial action.

Sophos EDR customers

EDR customers can run the dedicated query below to hunt for affected versions (updates will be posted here):

Additionally, EDR customers can hunt for files matching the following SHA256 hashes of the malicious DLLs:

  • 32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77
  • dab758bf98d9b36fa057a66cd0284737abf89857b73ca89280267ee7caf62f3b
  • eb6fab5a2964c5817fb239a7a5079cabca0a00464fb3e07155f28b0a57a2c0ed
  • c09040d35630d75dfef0f804f320f8b3d16a481071076918e9b236a321c1ea77
  • ac1b2b89e60707a20e9eb1ca480bc3410ead40643b386d624c5d21b47c02917c
  • 019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134
  • ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6
  • a25cadd48d70f6ea0c4a241d99c5241269e6faccb4054e62d16784640f8e53bc
  • d3c6785e18fba3749fb785bc313cf8346182f532c59172b69adfb31b96a5d0af
  • c15abaf51e78ca56c0376522d699c978217bf041a3bd3c71d09193efa5717c71
  • d0d626deb3f9484e649294a8dfa814c5568f846d5aa02d4cdad5d041a29d5600
  • 53f8dfc65169ccda021b72a62e0c22a4db7c4077f002fa742717d41b3c40f2c7
  • 292327e5c94afa352cc5a02ca273df543f2020d0e76368ff96c84f4e90778712
  • abe22cf0d78836c3ea072daeaf4c5eeaf9c29b6feb597741651979fc8fbd2417
  • 2ade1ac8911ad6a23498230a5e119516db47f6e76687f804e2512cc9bcfda2b0
  • db9e63337dacf0c0f1baa06145fd5f1007002c63124f99180f520ac11d551420
  • 0f5d7e6dfdd62c83eb096ba193b5ae394001bac036745495674156ead6557589
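As an added example (it is not code from the Sophos article, nor a SolarWinds or Sophos tool), the following Python script sweeps a directory tree, hashes each candidate file and reports any whose SHA256 digest is in the list above. The default install root, the `.dll` filter and the files created by `demo()` are assumptions; on a real Orion server you would point it at the SolarWinds installation directory and run it with enough privilege to read every file.

```python
"""Hunt a directory tree for files matching the SUNBURST DLL SHA256 list above."""
import hashlib
import os
import tempfile

# The 17 malicious DLL SHA256 hashes published in the article above.
SUNBURST_DLL_SHA256 = frozenset({
    "32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77",
    "dab758bf98d9b36fa057a66cd0284737abf89857b73ca89280267ee7caf62f3b",
    "eb6fab5a2964c5817fb239a7a5079cabca0a00464fb3e07155f28b0a57a2c0ed",
    "c09040d35630d75dfef0f804f320f8b3d16a481071076918e9b236a321c1ea77",
    "ac1b2b89e60707a20e9eb1ca480bc3410ead40643b386d624c5d21b47c02917c",
    "019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134",
    "ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6",
    "a25cadd48d70f6ea0c4a241d99c5241269e6faccb4054e62d16784640f8e53bc",
    "d3c6785e18fba3749fb785bc313cf8346182f532c59172b69adfb31b96a5d0af",
    "c15abaf51e78ca56c0376522d699c978217bf041a3bd3c71d09193efa5717c71",
    "d0d626deb3f9484e649294a8dfa814c5568f846d5aa02d4cdad5d041a29d5600",
    "53f8dfc65169ccda021b72a62e0c22a4db7c4077f002fa742717d41b3c40f2c7",
    "292327e5c94afa352cc5a02ca273df543f2020d0e76368ff96c84f4e90778712",
    "abe22cf0d78836c3ea072daeaf4c5eeaf9c29b6feb597741651979fc8fbd2417",
    "2ade1ac8911ad6a23498230a5e119516db47f6e76687f804e2512cc9bcfda2b0",
    "db9e63337dacf0c0f1baa06145fd5f1007002c63124f99180f520ac11d551420",
    "0f5d7e6dfdd62c83eb096ba193b5ae394001bac036745495674156ead6557589",
})


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file through SHA256 so large binaries never need to fit in RAM."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def hunt(root, iocs=SUNBURST_DLL_SHA256, suffixes=(".dll",)):
    """Walk root and return sorted (path, sha256) pairs whose digest is in iocs.

    suffixes limits hashing to likely candidates; pass suffixes=None to hash
    every file (slower, but it also catches a renamed copy of the DLL).
    """
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if suffixes and not name.lower().endswith(suffixes):
                continue
            path = os.path.join(dirpath, name)
            try:
                digest = sha256_file(path)
            except OSError:
                # A locked or unreadable file is itself worth logging during IR;
                # it is skipped here so one bad file does not abort the sweep.
                continue
            if digest in iocs:
                hits.append((path, digest))
    return sorted(hits)


def demo():
    """Constructed self-test: a fake tree with one 'bad' DLL whose hash is added
    to the watch list, alongside a benign file that must not be reported."""
    with tempfile.TemporaryDirectory() as root:
        bad = os.path.join(root, "Orion", "evil.dll")
        good = os.path.join(root, "Orion", "clean.dll")
        os.makedirs(os.path.dirname(bad))
        with open(bad, "wb") as fh:
            fh.write(b"MZ constructed sample, not a real Orion binary")
        with open(good, "wb") as fh:
            fh.write(b"MZ constructed benign sample")
        watch = SUNBURST_DLL_SHA256 | {sha256_file(bad)}
        return [p.endswith("evil.dll") for p, _ in hunt(root, iocs=watch)]


if __name__ == "__main__":
    import sys
    # Assumed default install root; pass a different path as the first argument.
    root = sys.argv[1] if len(sys.argv) > 1 else r"C:\Program Files (x86)\SolarWinds"
    for path, digest in hunt(root):
        print(f"IOC MATCH {digest} {path}")
```

A hash sweep only finds the exact builds in the list; a host with no match can still be running an affected Orion version, so pair it with the version check above rather than treating an empty result as a clean bill of health.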

Anyone not using Sophos EDR can activate a 30-day free trial and run the query across their estate:


  • If you are already running Sophos Central, activate the free trial directly within your console. Under ‘MORE PRODUCTS’ in the main navigation select ‘Free Trials’ and then select Intercept X Advanced with EDR, Intercept X Advanced for Server with EDR, or both.
  • If you are not running Sophos Central, activate a free trial from our website.


All Sophos customers

SophosLabs has published the following anti-malware detections for the compromised SolarWinds components:

  • Troj/SunBurst-A
  • Troj/Agent-BGGA
  • Troj/Agent-BGGB
  • Troj/Agent-BGFZ

If you see one or more of these detections, the backdoored Orion component is present on that host and you are exposed to potential attack.

SophosLabs has also published the following detections for the known second-stage backdoor components:

  • Mal/Sunburst-B

If you see one or more of these detections, you are likely a victim of targeted attack and should take additional remediation actions.

Warning: check your configuration for scan exclusions. Excluding the SolarWinds installation directories from anti-malware scanning, as SolarWinds' own documentation has recommended for performance reasons, means none of the detections above can fire on those files, so a clean scan result tells you nothing. See https://twitter.com/ffforward/status/1338785034375999491
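To make the exclusion problem concrete, here is a small added Python check (not from the Sophos article) that reports which entries of an exclusion list would stop a given file from being scanned. The exclusion entries are constructed for the example, the Orion DLL path is the component named in FireEye's public SUNBURST analysis rather than on this page, and the wildcard semantics (case-insensitive, `*` spanning directory separators, a trailing separator meaning "this folder and everything under it") are an approximation of how endpoint products typically interpret path exclusions; confirm them against your product's documentation.

```python
"""Report which anti-malware exclusions would hide a file from scanning."""
import fnmatch
import ntpath

# Path of the trojanised Orion component (per FireEye's public SUNBURST report).
ORION_DLL = r"C:\Program Files (x86)\SolarWinds\Orion\SolarWinds.Orion.Core.BusinessLayer.dll"

# Constructed exclusion list of the kind often found on an Orion server.
EXAMPLE_EXCLUSIONS = [
    "C:\\Program Files (x86)\\SolarWinds\\",   # folder exclusion
    "C:\\ProgramData\\SolarWinds\\*",          # wildcard exclusion
    "*.tmp",                                    # extension exclusion
]


def _norm(path):
    """Windows paths are case-insensitive and accept either separator."""
    return ntpath.normpath(path).replace("/", "\\").lower()


def covering_exclusions(path, exclusions):
    """Return the exclusion entries that would stop `path` from being scanned.

    A folder exclusion (trailing separator) covers everything beneath it; any
    other entry is treated as a glob where '*' may span directory boundaries.
    """
    target = _norm(path)
    hits = []
    for entry in exclusions:
        raw = entry.strip()
        is_folder = raw.endswith(("\\", "/"))
        pattern = _norm(raw)          # normpath also strips the trailing separator
        if is_folder:
            if target == pattern or target.startswith(pattern + "\\"):
                hits.append(entry)
        elif fnmatch.fnmatchcase(target, pattern):
            hits.append(entry)
    return hits


if __name__ == "__main__":
    for exc in covering_exclusions(ORION_DLL, EXAMPLE_EXCLUSIONS):
        print(f"NOT SCANNED: {ORION_DLL!r} is covered by exclusion {exc!r}")
```

If the Orion directory is covered, remove or narrow the exclusion and run an on-demand scan of that directory (or hash its contents against the list above) before concluding that a host is clean.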


SophosLabs is in the process of releasing IPS signatures that identify Command-and-Control traffic from the active exploitation stages of the attack. The list of IPS signatures to monitor on Sophos XG Firewall is:

  • 56662 – MALWARE-CNC Win.Backdoor.Sunburst inbound connection attempt
  • 56660 – MALWARE-CNC Win.Backdoor.Sunburst outbound connection attempt
  • 56665 – MALWARE-CNC Win.Backdoor.Sunburst outbound connection attempt
  • 56661 – MALWARE-CNC Win.Backdoor.Sunburst outbound connection attempt

If you see one or more of these IPS detections, you are likely a victim of targeted attack and should take additional remediation actions.

We have blocked all associated IP and domain indicators.

We have also revoked trust on the compromised SolarWinds certificate used in these attacks.

Sophos Application Control detects all versions of SolarWinds Orion as “SolarWinds MSP Agent”. Application Control is an optional setting – read the Help Guide for instructions on how to enable it, and add SolarWinds to the list of apps you want to block. Note that this blocks Orion itself, not only the compromised builds, so use it as a containment measure until the affected servers have been rebuilt.

SophosLabs is continuing to investigate the attack and will be providing additional protection as necessary. Please monitor this location for further updates.

What to do if you are impacted

If you are running a compromised version, we recommend that you isolate the affected SolarWinds servers from the network and preserve them for forensic analysis before rebuilding.

We also recommend rebuilding all impacted SolarWinds servers and installing Orion Platform version 2020.2.1 HF 2 which is now available. See https://www.solarwinds.com/securityadvisory for more details.

We will be releasing further incident response guidance shortly. Contact your security team or partner for advice and support where needed.

Sophos and SolarWinds

Sophos is a SolarWinds Orion Customer. Upon receiving notification from SolarWinds, Sophos initiated incident response. We have undertaken incident response steps, which we also published at https://news.sophos.com/en-us/2020/12/14/solarwinds-playbook/ in the context of recommendations to other threat responders. In addition to incident response measures, we have now also undertaken precautionary forensics on our SolarWinds infrastructure, and our current assessment is that Sophos was not targeted in this attack.

Change log

2020-12-18 22:35 UTC Updated “Sophos and SolarWinds” section

2020-12-18 16:28 UTC Updated “Sophos EDR customers” section with new malicious DLL SHA256 hashes.

2020-12-16 14:03 UTC Added Troj/SunBurst-A to anti-malware detections

2020-12-16 12:40 UTC Updated to state that Orion Platform version 2020.2.1 HF 2 is now available

2020-12-16 12:27 UTC Updated to advise that the Sophos MTR team has now contacted all affected MTR customers

2020-12-15 22:04 UTC Added Sophos detection names for second-stage backdoor components and XG IPS signatures for command and control traffic

2020-12-15 21:00 UTC Added additional Sophos detections; add an additional Hash; add signatures to monitor for

2020-12-15 12:24 UTC Added warning to check your configuration for exclusions

2020-12-15 12:06 UTC Added link to Application Control help guide, and to advise that Application Control is an optional setting that needs to be enabled.

2020-12-15 09:30 UTC Updated to add Mal/Sunburst-A to the list of Sophos detections; provide the Sophos AppControl detection; advise that we have blocked all associated IPs and domain indicators; add three further Hashes; and provide link to the playbook.

2020-12-14 18:54 UTC Updated to advise that SophosLabs has revoked trust on the compromised SolarWinds certificate used in these attacks

Sophos CEO Kris Hagerman said the SolarWinds hack underscores the need for partners and customers to think beyond internal security and consider supply chain risk.

The more than 250 federal agencies and businesses who had their networks accessed because of the SolarWinds attack didn’t have their own security estates used as the attack vector, Hagerman said. Instead, Hagerman said the SolarWinds hackers came in through the doors of other vendors, whether it be cloud vendors or IT systems management vendors.

“You cannot think about your security only in the context of, ‘How well am I secured?’” Hagerman said during an interview at Best of Breed (BoB) Winter 2021, hosted by CRN parent The Channel Company. “You’ve got to go beyond that to say, ‘How well am I secured and how well am I securing everything that I connect to?’ I mean, it’s a daunting undertaking.”


The SolarWinds hack will force every single channel partner to be security aware and security literate regardless of if they actually sell cybersecurity products or not, Hagerman said. As more information has emerged, Hagerman said it’s become clear that the attackers not only used vendors like SolarWinds but also compromised Microsoft resellers and leveraged them as a vector to attack their customers.

As a result, Hagerman said the SolarWinds hackers were able to move laterally from corporate environments to cloud environments and back again without facing much resistance.

“This SolarWinds incident is probably one of the most dramatic and impactful security incidents of the past decade,” Hagerman said. “And it has all sorts of pretty important implications for companies of all sizes, and in particular for the channel.”

Demand for Towerwall’s application penetration testing has soared since the SolarWinds attack became public, with very large organizations wanting to ensure their developers are coding according to the Software Development Life Cycle (SDLC) plan, according to Michelle Drolet, co-founder and CEO of the Framingham, Mass.-based solution provider.

Towerwall also looks at all the roles inside an application to ensure that users aren’t able to switch roles with one another or escalate privileges, and can put together an actionable plan for developers to do remediation, Drolet said. By looking at the IP an application is sitting on and doing penetration tests, clients can move beyond certifications and verify the security of a third-party application themselves.

“Vendor risk management has become a big part of any cybersecurity program, and it’ll continue,” Drolet said. “We don’t need to boil the ocean, but if we do things thoughtfully and according to the risk tolerance of a specific organization, we will have success keeping the bad guys at bay.”

Hagerman said the SolarWinds breach has also put boards of directors on high alert, with pretty much every responsible board asking within 48 hours of the hack going public Dec. 13 if they could have been similarly compromised. Companies of all sizes need to have a good answer to that, so Hagerman said they’re turning to channel partners for visibility into potential attack vectors.

“Whether they are SMBs of 50, 100, 200 employees or enterprise organizations of 500,000 employees, those organizations face the same kinds of threats,” Hagerman said. “The channel is going to have to help them figure out how to protect themselves against those threats efficiently.”

Hagerman compared the SolarWinds attack to somebody robbing a home by tunneling under the house, waiting for the homeowner to go on vacation, and then drilling holes up underneath the house. While partners should ensure they can detect and are protected against those kinds of sophisticated attacks, Hagerman recommended that solution providers first ensure they’re getting the basics right.

“Before you worry about people tunneling under your house, make sure you lock your front door and your back door,” Hagerman said. “Make sure all your windows are locked. Make sure that you’ve got lights turned on at night on your front porch and your back porch. Make sure that you’ve got a security camera set up. Make sure you’ve got some motion detectors.”

Once partners have a well-organized home operation, Hagerman said they should then turn their attention to preventing, detecting and responding to more sophisticated attacks, ideally in an automated fashion. Customers often need help managing and monitoring their endpoints, as well as determining how to best respond in real time to an active attack, according to Hagerman.

“Once an attack like this occurs, it’s effectively a race,” Hagerman said. “It’s a race between the bad guys who were moving laterally and everywhere they can in the network to find sensitive information and then get it out of there. And it’s a race for the good guys to identify where they are, detect it, and ensure that they kick them out and protect the data.”

Clients need a broad and deep approach to security that goes beyond firewalls and endpoint protection to thwart sophisticated threat actors, said Douglas Grosfield, president and CEO of Kitchener, Ontario-based Five Nines IT Solutions. A comprehensive security strategy must include data leakage protection, segregating networks and limiting the scope and scale of what systems have access to, Grosfield said.

The SolarWinds attack has also made customers hyper-aware of what can go wrong for their business from a security standpoint, Grosfield said. As a result, Grosfield said there’s an opportunity for solution providers to have a deeper conversation around internal security practices, supply chain risk and security awareness training that gives employees a better sense of what the threat landscape looks like.

“Customers are thinking about third-party security,” Grosfield said. “We’ve all learned some lessons from SolarWinds, and it’s proof positive that security is about more than minding your own Ps and Qs.”




